Noticias ElcomSoft

09/11/2017

iOS Forensic Toolkit 2.40 is updated with enhanced support for lockdown records, enabling forensic experts to extract more information from locked down iPhones and iPads in “cold boot” situations. The new release can access advanced device information through the use of lockdown records even if the device is completely locked down and has never been unlocked since powered on or rebooted.

iOS Forensic Toolkit 2.40 extends the use of lockdown (pairing) records for the purpose of extracting additional device info from iPhone and iPad devices that are locked with an unknown passcode. In particular, the new build extracts more information from iOS devices that are locked and have never been unlocked after being powered off or rebooted (the “cold boot” situation). The ability to use lockdown records for extracting information from locked devices in “cold boot” state can be extremely important for investigations.

Device model and name

iOS version and build number

Device ID

MAC addresses of the phone’s Wi-Fi and Bluetooth adapters

ICCI/IMEI/IMSI and phone number

Whether or not an iTunes backup password is enabled

Date and time of last iTunes and iCloud backups

List of synced accounts including email address for Google accounts

Various bits such as total and available disk space, time zone and language settings

If the iOS device has been unlocked at least once, iOS Forensic Toolkit 2.40 can additionally extract comprehensive information about the apps installed on the device. This includes app names and versions, access permissions, as well as the names of their data folders. While this information is also available via full local backups, a local backup may come out encrypted with an unknown password, in which case the data will be encrypted unless the password is known.